[BUG] "Threat Indicator Match" Row Renderers information is not available in doc under the new features for 7.13 #730

Closed
ghost opened this issue May 31, 2021 · 6 comments
Labels: bug (Something isn't working), Team: Docs

Comments

ghost commented May 31, 2021

Description: "Threat Indicator Match" Row Renderers information is not available in doc under the new features for 7.13

URL link or topic name:

Ticket:
elastic/kibana#96275

Screenshots: doc, Threat_doc (images not included in this capture)

ghost added the "bug (Something isn't working)" and "Team: Docs" labels on May 31, 2021

ghost commented May 31, 2021

@manishgupta-qasource Please review!!

@manishgupta-qasource

Reviewed & Assigned to @jmikell821


nastasha-solomon commented Jun 2, 2021

@deepikakeshav-qasource thanks for filing this! I was hoping you could clarify whether you're also requesting that docs about the Threat Indicator event renderer be added to the Manage detection alerts topic. Currently, the topic describes how to locate and configure event renderers for the Alerts table, but doesn't describe the individual event renderers, as those are already defined in the Security app's UI.

@jmikell821 I pulled the following description of the Threat Indicator event renderer from the 7.13 blog. I've made some minor modifications, but feel free to tweak it even more before you add it to the "What's new" topic:
A new event renderer was added for alerts generated by indicator match rules. This event renderer presents details about the matched IoC in a semantic format for quick analyst comprehension.

Also @jmikell821, these features were mentioned in the 7.13 blog entry, but not documented under “What’s new” for 7.13:

  • Surface threat intelligence within analyst workflows
    • Timeline template for detection alerts generated by indicator match rule type: 7.13 adds a timeline template for alerts generated by indicator match rules, accelerating investigations by surfacing the most relevant details on the Timeline workspace.
    • Support for MalwareBazaar threat feed from abuse.ch: 7.13 expands the Threat Intel module for Filebeat to support ingestion of the MalwareBazaar feed from abuse.ch. MalwareBazaar facilitates the sharing of malware samples across the security community, helping practitioners make the modern world a safer place. In Elastic Security, this contextual data can be applied to automated detection use cases via the indicator match rule type, as well as give analysts direct access to information valuable to various hunting and incident response use cases.
  • Advanced detection techniques for advanced threats
    • Detect advanced threats with ML jobs in Network Module: Security research engineers at Elastic have developed a new set of machine learning jobs that spot anomalies in network behavior that could reveal an advanced threat by spotting command-and-control connections, attempted data exfiltration, and other suspicious or malicious activity.
    • Anomalous parent-child ML model: Security research engineers at Elastic recently detailed a way to use both supervised and unsupervised ML to detect living-off-the-land binaries (what the cool kids call LOLBins) that would otherwise escape detection by blending into the noise of other system programs.
  • Endpoint security enhancements
    • Process tampering detection: Elastic now enables the detection of process tampering, including attacks like Process Doppelgänging and Process Herpaderping. Whether you’re using Elastic Agent or Winlogbeat, you can automate the detection of process tampering.
    • EICAR detection: Elastic Security 7.13 simplifies operations by adding the EICAR signature to the default diagnostic malware signatures used for Elastic Agent, supporting automated testing for malware systems on Windows, macOS, and Linux.
  • Data integrations
    • CyberArk Privileged Access Security integration: CyberArk worked with Elastic to build a robust integration with their Privileged Access Security (PAS) solution, providing optimal ingestion and parsing of this valuable data source. Analyzing these events alongside other environmental data enables analysts to spot threats employing misused privileged accounts to advance along the cyber kill chain. The integration also includes the mighty sharp dashboard pictured below.
    • Standalone XML processor for Windows events: Elastic Security now offers a new way to parse and ingest Windows events in XML format residing in a non-Windows system.
    • Forward Windows events from legacy SIEM: Version 7.13 now supports the ingestion of Windows events via the third-party and legacy SIEM connector.
    • Sysmon event collection update: The Sysmon module for Winlogbeat has been updated in a small but important way: it now supports Event 24 (clipboard change) and Event 25 (process tampering). Whether you’re using Agent or Winlogbeat, you can collect events revealing process tampering.
    • Support for ECS 1.9: All Agent and Beats data integration modules have been updated to ECS 1.9.


nastasha-solomon commented Jun 2, 2021

@jmikell821 one more comment: outside of the Threat Indicator event renderer, the following enhancements were also documented in the 7.13 release notes, but not called out in “What’s new”:

  • Fetches detection adoption metrics (#97789).
  • Updates fields with Beats metadata (#97719).
  • Updates detection alert mappings to ECS 1.9 (#97573).
  • Adds the Security Network ML Module to the list of available jobs (#97014).
  • Updates MITRE tactics, techniques, and subtechniques (#97011).
  • Improves user experience duplicating rules (#96760).
  • Rebuilds nested fields structure from field’s response (#96187).
  • Combines multiple timestamp searches into a single request (#96078).
  • Adds the Indicator Match Timeline template (#95840).
  • Fetches additional detection rule adoption metrics (#95659).
  • Adds HTTP endpoints for the Timeline (#95036).


ghost commented Jun 3, 2021

Hi @nastasha-solomon

Our concern is to add the information to the What's new page only.

Screenshots: what's new (image not included in this capture)

Thanks!!

jmikell821 (Contributor) commented

@nastasha-solomon I'll take care of the What's New fix. If there's anything else you all may see missing, please let me know so I can put it in a new PR - thanks!

4 participants